Measure Everything

Did the user watch the training video? How much of the video did the user watch?

Did the user open the phishes? Did the user open the educational emails?

How long does it take for the user to relapse or forget their training?

What was the cumulative risk of that user each month?

How many months has the user spent as Low, Medium and High risk?

What was the cumulative difficulty of the phishes sent during the attack emulations this month compared to the previous month?

What types of phishes is the user most susceptible to?

Adjust Accordingly (Mass Customization)

Security Awareness Training & Education (SATE) programs should customize training frequency, content and attack simulations to the individual needs of each user.

For example: most people in this room would be classified as “Low Risk” users. Why should a SATE program waste the time of “Low Risk” users with needless training? Conversely, high risk users tend to need so much education that the impact on human resources would be cost prohibitive without “Mass Customization”.

Train according to need and escalate frequency for user training and testing as needed.

Change the tone of training materials based on user risk
(higher risk == more aggressive)

Only send high difficulty phishes and spear phishes to low risk users.
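The metrics listed under “Measure Everything” and the per-tier customization described above can be kept as plain bookkeeping over the program’s event log. The block below is an added example, not code from this presentation: the event log, the scoring weights (clicking an easy phish costs more than clicking a hard one, reporting and watching training earn points back), the Low/Medium/High thresholds, the per-tier schedule table and the two-months-at-High escalation rule are all constructed assumptions chosen to illustrate the idea, not a published scoring model.

```python
"""Risk bookkeeping for a SATE program.

Added example, not the presentation's own code. The event log, scoring
weights, tier thresholds and schedule table are constructed assumptions.
"""
from collections import Counter, defaultdict

# Difficulty scale: 1 = easily identifiable mass phish ... 5 = targeted spear phish
DIFFICULTY_SCALE = 5
CLICK_WEIGHT = 2.0      # assumption: clicking an easy phish costs more than a hard one
REPORT_CREDIT = 1.0     # assumption: reporting a phish earns back one point
TRAINING_CREDIT = 1.0   # assumption: scaled by the fraction of the video watched
# Tier boundaries on the monthly score (assumption); scores >= 10 are High.
TIER_THRESHOLDS = (("Low", 4.0), ("Medium", 10.0))
# Months in a row at High risk before the program escalates to a human (assumption).
ESCALATE_AFTER_HIGH_MONTHS = 2

# Per-tier schedule (assumption): Low-risk users get rare training and only
# hard phishes; High-risk users get weekly micro-training and the full range.
PLAN = {
    "Low":    {"training_interval_days": 90, "min_phish_difficulty": 4, "tone": "informational"},
    "Medium": {"training_interval_days": 30, "min_phish_difficulty": 2, "tone": "direct"},
    "High":   {"training_interval_days": 7,  "min_phish_difficulty": 1, "tone": "assertive"},
}

# Constructed sample event log. "phish" rows are attack-emulation results,
# "training" rows record how much of a micro-training video was watched.
EVENTS = [
    {"user": "alice", "month": "2024-01", "type": "phish", "category": "mass", "difficulty": 1, "outcome": "reported"},
    {"user": "alice", "month": "2024-01", "type": "training", "watched": 1.0},
    {"user": "alice", "month": "2024-01", "type": "phish", "category": "spear", "difficulty": 5, "outcome": "ignored"},
    {"user": "alice", "month": "2024-02", "type": "phish", "category": "spear", "difficulty": 4, "outcome": "reported"},
    {"user": "bob", "month": "2024-01", "type": "phish", "category": "mass", "difficulty": 1, "outcome": "clicked"},
    {"user": "bob", "month": "2024-01", "type": "training", "watched": 0.25},
    {"user": "bob", "month": "2024-02", "type": "phish", "category": "general", "difficulty": 3, "outcome": "clicked"},
    {"user": "bob", "month": "2024-02", "type": "phish", "category": "mass", "difficulty": 2, "outcome": "clicked"},
    {"user": "bob", "month": "2024-02", "type": "training", "watched": 0.5},
    {"user": "carol", "month": "2024-01", "type": "phish", "category": "mass", "difficulty": 1, "outcome": "clicked"},
    {"user": "carol", "month": "2024-02", "type": "phish", "category": "mass", "difficulty": 1, "outcome": "clicked"},
]


def event_points(ev):
    """Risk points contributed by one event (positive = more risk)."""
    if ev["type"] == "training":
        return -TRAINING_CREDIT * ev["watched"]
    if ev["outcome"] == "clicked":
        return CLICK_WEIGHT * (DIFFICULTY_SCALE + 1 - ev["difficulty"])
    if ev["outcome"] == "reported":
        return -REPORT_CREDIT
    return 0.0  # ignored phish: neither penalty nor credit


def monthly_risk(events, user):
    """Cumulative risk per month, floored at zero, keyed by ISO month."""
    totals = defaultdict(float)
    for ev in events:
        if ev["user"] == user:
            totals[ev["month"]] += event_points(ev)
    return {m: max(0.0, s) for m, s in sorted(totals.items())}


def tier(score):
    """Map a monthly score onto Low / Medium / High."""
    for name, upper in TIER_THRESHOLDS:
        if score < upper:
            return name
    return "High"


def months_per_tier(risk_by_month):
    """How many months the user has spent in each tier."""
    return dict(Counter(tier(s) for s in risk_by_month.values()))


def cumulative_difficulty(events, user):
    """Total difficulty of phishes sent each month, for month-over-month comparison."""
    totals = defaultdict(int)
    for ev in events:
        if ev["user"] == user and ev["type"] == "phish":
            totals[ev["month"]] += ev["difficulty"]
    return dict(sorted(totals.items()))


def most_susceptible_category(events, user):
    """Phish category the user clicked most often, or None if they never clicked."""
    clicks = Counter(ev["category"] for ev in events
                     if ev["user"] == user and ev["type"] == "phish" and ev["outcome"] == "clicked")
    return clicks.most_common(1)[0][0] if clicks else None


def needs_human_intervention(risk_by_month):
    """True when the most recent months are an unbroken run at High risk."""
    recent = list(risk_by_month.values())[-ESCALATE_AFTER_HIGH_MONTHS:]
    return len(recent) == ESCALATE_AFTER_HIGH_MONTHS and all(tier(s) == "High" for s in recent)


def user_profile(events, user):
    """Everything the program needs to customize this user's training and emulations."""
    risk = monthly_risk(events, user)
    current = tier(list(risk.values())[-1]) if risk else "Low"
    return {
        "risk_by_month": risk,
        "current_tier": current,
        "months_per_tier": months_per_tier(risk),
        "difficulty_by_month": cumulative_difficulty(events, user),
        "most_susceptible": most_susceptible_category(events, user),
        "plan": PLAN[current],
        "human_intervention": needs_human_intervention(risk),
    }


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, user_profile(EVENTS, u))
```

With the constructed log, alice never clicks and stays Low, so her plan only schedules difficulty 4+ phishes and quarterly training; bob moves from Medium to High and is flagged as most susceptible to mass phishes; carol has been High for two consecutive months, which is the point at which the human-intervention step discussed at the end of this talk would take over from automated training.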

High Frequency – “Micro Training”

User attention spans are at an all-time low and training programs need to join the modern era by keeping training short.

Training should be between 10 seconds and 1 minute long.

Training should drive home a single point and not cover multiple topics

Training should be offered in multiple formats/styles so the user can engage with the content they prefer.

High Frequency Attack Emulations

Phishing attack emulations against your users are where you get some of your most important metrics and are the best way to truly understand your risk.

Attack emulations should vary in difficulty and frequency just like real life

Emulations should include:

Spear Phishing

Complex General Target Phishes

Easily Identifiable Mass Phishes (Nigerian style)

Get creative with these and be proactive with your training. If there is a specific phish hitting your industry then conduct attack emulations of that exact threat before it happens.

Users will be better prepared if/when they do see it.

Avoid Dashboard Overload

Users are less likely to log in to a training portal than to open an email.

Phishing is primarily an email-based risk – deliver training content to the user’s inbox.

Engage with the user however works best

Do they respond better to a text message?

Do they respond better over the phone?

Do they respond better via email?

Just In Time Training

When the user makes a mistake they are uniquely open to learning at that exact moment. Don’t waste time exploiting users; instead have an emotion-invoking landing page that has a single clear message.

Immediately after the user clicks on a phish, automatically send them a message saying “Hey, we saw you clicked on this….here are some tips”.

Make those tips specific to the phishing emulation the user received.

When they do well you should tell them: send users who didn’t click on phishes a “good job” email.

Human Intervention

Let’s face it: technology can only drive risk so low. In order to remediate the incessant clickers, you need to make sure the user knows they are being held accountable for their actions.